Re: 4-byte script triggers null ptr deref and segfault


From: Pádraig Brady
Subject: Re: 4-byte script triggers null ptr deref and segfault
Date: Thu, 17 Sep 2015 19:01:23 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.6.0

On 17/09/15 18:20, Greg Wooledge wrote:
> On Thu, Sep 17, 2015 at 11:50:44AM -0500, Brian Carpenter wrote:
>> While fuzzing GNU bash version 4.3.42(1)-release
>> (x86_64-unknown-linux-gnu) with AFL(http://lcamtuf.coredump.cx/afl), I
>> stumbled upon a 4-byte 'script' that triggers a null ptr deref and causes a
>> segfault.
>>
>> https://savannah.gnu.org/support/index.php?108885
> 
> Well, that's an annoying web-to-mail interface.  It didn't include the
> full bug report?
> 
> The web page says the hexdump of the attached script is 3b21 2620
> which I would normally interpret as `;!& '.
> 
> But the attached script itself is actually `!; &'.  Apparently the
> hex dump tool in question is doing some sort of 16-bit grouping with
> little endian byte swapping.
> 
> After getting the correct content into the script, I can reproduce
> this on HP-UX in 4.3.39:
> 
> imadev:~$ printf '!; &' > x
> imadev:~$ bash x
> Segmentation fault (core dumped)

FWIW _not_ reproduced with bash-4.3.39-1.fc22.x86_64
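The hexdump confusion above is worth keeping in mind when triaging fuzzer reports: `od -x` prints 16-bit words in host byte order, so on a little-endian machine each pair of bytes appears swapped. The following decoder is an added example, not code from the thread or from bash; it takes the quoted dump "3b21 2620" (a sample constructed from the report) and recovers the real file contents, alongside the naive byte-for-byte reading that Greg initially made.

```python
import struct

# Constructed sample: the hex dump quoted in the bug report.
OD_DUMP = "3b21 2620"


def naive_bytes(dump: str) -> bytes:
    """Read the dump left to right as plain bytes (the misleading reading)."""
    return bytes.fromhex(dump.replace(" ", ""))


def od_words_to_bytes(dump: str) -> bytes:
    """Decode `od -x` style output from a little-endian host.

    Each group is a 16-bit word printed most-significant digit first, so
    the first byte of the file shows up as the *second* pair of digits.
    Note that od pads an odd trailing byte with 0x00 in the last word, so
    a caller who knows the true file length should truncate the result.
    """
    out = bytearray()
    for word in dump.split():
        if len(word) != 4:
            raise ValueError(f"expected 4 hex digits per word, got {word!r}")
        out += struct.pack("<H", int(word, 16))  # little-endian: low byte first
    return bytes(out)


if __name__ == "__main__":
    print("naive reading :", naive_bytes(OD_DUMP))        # b';!& '
    print("actual script :", od_words_to_bytes(OD_DUMP))  # b'!; &'
```

When a report ships both an attachment and a dump, prefer the attachment bytes themselves (for example `od -An -tx1` or `xxd -p`, which print one byte per group and avoid the swap) over any word-grouped listing.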
